Set up ipsec VPN with Strongswan on Ubuntu with PSK for roadwarrior use

This post shows how to set up an IPsec VPN connection in roadwarrior fashion. Roadwarrior mode is where you typically have a mobile device with a dynamic address and you want to connect back to a VPN server. This post uses a simple pre-shared key (PSK) plus an XAUTH username and password to establish the VPN connection with strongSwan. This is much simpler than my past openswan approach, which also relied on L2TP, Pluto etc. needing to be configured. Performance also seems to be better, with VPN connections establishing much faster.



1. Install strongswan and the xauth plugin

sudo apt-get install strongswan strongswan-plugin-xauth-pam

The XAUTH usernames and passwords in this guide are kept in /etc/ipsec.secrets, which the xauth-generic backend built into strongswan reads by default; the xauth-pam plugin is only needed if you would rather authenticate users against the system's PAM accounts.

2. Establish the VPN ipsec configuration

sudo vi /etc/ipsec.conf

Contents

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # nat_traversal and virtual_private are pluto (strongSwan 4.x) options;
        # charon (strongSwan 5.x) ignores them and always has NAT-T enabled.
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        charondebug=1
        uniqueids=yes
        strictcrlpolicy=no

conn tunnel
        keyexchange=ikev1
        # Main mode only. Aggressive mode sends a hash of the PSK in the clear,
        # which an eavesdropper can crack offline.
        aggressive=no
        leftfirewall=yes
        left=192.168.1.100
        leftsubnet=0.0.0.0/0
        right=%any
        # One virtual address means one client at a time; a pool such as
        # 10.0.0.0/24 (which the NAT rule in step 7 already matches) allows more.
        rightsourceip=10.0.0.2
        rightdns=192.168.1.1
        rightsubnet=0.0.0.0/0
        authby=xauthpsk
        xauth=server
        auto=add
        # modp1024 and sha1 are legacy choices kept for old clients; prefer
        # aes256-sha256-modp2048 / aes256-sha256 where the client supports them.
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        type=tunnel


3. Create the pre-shared key used to authenticate the VPN

The PSK authenticates both ends of the tunnel (the traffic itself is encrypted with keys derived during IKE), so it has to be long and random. Generate it from the kernel's random source rather than by hashing a fixed string, which would hand everyone who follows the same steps the same key:

openssl rand -base64 32

Copy the output; it is inserted as the PSK into the secrets file in the next step.
4. Create secrets file

sudo vi /etc/ipsec.secrets

Contents

USERNAME : XAUTH "PASSWORD"

%any %any : PSK "INSERT KEY"

Whereby
USERNAME is the username you want to log in with.
PASSWORD is the password you want to log in with (the quotes are required if it contains spaces or special characters).
INSERT KEY is the PSK generated by the prior command; keep the quotation marks.

The %any %any line means any peer presenting this PSK passes the first authentication step; the per-user XAUTH line is what keeps one shared key from being a single password for everyone.


5. Set file permissions so people can not view your keys

sudo chown root:root /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets

6. Tell the server to forward VPN traffic

sudo vi /etc/sysctl.conf

Find and change the following from 0 to 1 (uncommenting the lines if needed)

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Then apply the change without rebooting:

sudo sysctl -p

7. Set up the Firewall

Exempt traffic that will be sent back into the tunnel from NAT, then masquerade everything else from the client pool out of the Internet-facing interface (enp2s0 here; substitute yours):

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE

Allow IKE (UDP 500) and NAT-T (UDP 4500). ESP is IP protocol 50, not UDP port 50, so "ufw allow 50/udp" opens nothing useful; allow it by protocol instead (ufw 0.35 and later understand "proto esp"; on older versions put the equivalent "-p esp -j ACCEPT" rule in /etc/ufw/before.rules). This only matters for clients that are not behind NAT, because NAT-T wraps ESP in UDP 4500. AH (protocol 51) is not used by this configuration and does not need to be opened.

sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw allow proto esp from any to any

Two things to check on a ufw host: forwarded packets are dropped unless DEFAULT_FORWARD_POLICY in /etc/default/ufw is set to "ACCEPT", and iptables rules added by hand are lost on reboot, so add the two NAT rules to a *nat section of /etc/ufw/before.rules if they are to persist.

8. Restart the VPN server strongswan

sudo ipsec restart

Then confirm the connection definition was loaded, and later that a client is ESTABLISHED with the proposal you expect:

sudo ipsec statusall
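As an added example, not part of the original post: a POSIX shell script that carries out steps 3 to 5 the safe way (random PSK, secrets file written atomically with mode 0600) and then audits ipsec.secrets and ipsec.conf for the weaknesses discussed above, namely a short or placeholder PSK, loose file permissions, aggressive mode, and legacy modp1024/SHA-1 proposals. The script name, the audit return codes and the target directory argument are assumptions; point it at a scratch directory first, and at /etc as root when you are happy with the result.

```shell
#!/bin/sh
# psk_setup.sh (added example, not from the original post).
# Usage: sh psk_setup.sh DIR USER PASSWORD   -> writes DIR/ipsec.secrets, audits both files.

# gen_psk: 32 random bytes from the kernel RNG, base64 encoded (44 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets DIR USER PASSWORD PSK: write DIR/ipsec.secrets readable by the owner only.
# The file is created under umask 077 and moved into place, so it is never world-readable,
# not even briefly. PASSWORD must not contain a double quote (it would break the syntax).
write_secrets() {
    dir=$1; user=$2; pass=$3; psk=$4
    tmp="$dir/.ipsec.secrets.tmp"
    (umask 077; printf '%s : XAUTH "%s"\n\n%%any %%any : PSK "%s"\n' "$user" "$pass" "$psk" > "$tmp") &&
        chmod 600 "$tmp" && mv "$tmp" "$dir/ipsec.secrets"
}

# audit_secrets FILE: 0 if the mode is 0600 and the PSK line holds a real key of at
# least 32 characters; 1 otherwise (reason printed on stderr).
audit_secrets() {
    f=$1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "audit: $f is $mode, want -rw-------" >&2; return 1; }
    psk=$(sed -n 's/^.*: *PSK *"\([^"]*\)".*$/\1/p' "$f" | head -n 1)
    [ -n "$psk" ] || { echo "audit: no PSK line in $f" >&2; return 1; }
    case $psk in *"INSERT KEY"*) echo "audit: placeholder PSK in $f" >&2; return 1;; esac
    [ ${#psk} -ge 32 ] || { echo "audit: PSK is only ${#psk} characters" >&2; return 1; }
    return 0
}

# audit_conf FILE: 0 when the conn settings are acceptable, 1 if aggressive mode is on
# (the PSK hash would be recoverable offline), 2 if an ike/esp line still uses a legacy
# DH group (modp768/modp1024) or SHA-1. Commented-out lines are ignored.
audit_conf() {
    f=$1
    if grep -Eq '^[[:space:]]*aggressive[[:space:]]*=[[:space:]]*yes' "$f"; then
        echo "audit: aggressive=yes in $f" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*(ike|esp)[[:space:]]*=.*(modp768|modp1024|-sha1[-!])' "$f"; then
        echo "audit: legacy DH group or SHA-1 proposal in $f" >&2; return 2
    fi
    return 0
}

# Only act when invoked with DIR USER PASSWORD; sourcing the file defines the functions.
if [ "$#" -eq 3 ]; then
    write_secrets "$1" "$2" "$3" "$(gen_psk)" || exit 1
    audit_secrets "$1/ipsec.secrets" || exit 1
    audit_conf "$1/ipsec.conf"
fi
```

Run against a copy of the config from step 2, audit_conf returns 2 because of the aes128-sha1-modp1024 proposal; it returns 0 once the ike/esp lines are moved to modp2048 and sha256, and 1 if anyone ever flips aggressive to yes.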


Client configuration

Android

I only set the following settings in the built-in Android VPN client:

Type: IPSec Xauth PSK
Server:
IPSEC preshared key:
DNS server:
Username:
Password:

OSX

TO FOLLOW


